There is really no better time to get into software security than now. The field is beginning to explode, mostly due to incredible commercial demand. Turns out that we've built boatloads of pretty bad software over the years, and now that security is being taken more seriously, there's one heck of a cleanup job to do. That's right, we can't solve the problem in "look ahead" mode only. We need to spend some time fixing what we've already built. The cool thing about the touchpoints is that many can be applied just as well to existing software as to new projects. For example, performing an architectural risk analysis on an existing system is well within the realm of possibility.

Getting started in software security is easier than ever. Now there's an entire shelf full of software security books (see Chapter 13), best practices like the touchpoints have been identified, and organizations are looking to build capability. Knowledge managers are creating schemata and taxonomies of software security knowledge, making it much easier than it was just a few short years ago to get started. And the tools don't suck anymore.

If you are a software person interested in security, consider becoming a software security person. We need you!